< ciso
brief />
Tag Banner

All news with #secrets management tag

50 articles

AI-Accelerated Cloud Attack Exploits Management Gaps

🔎 A Sygnia report details how a lone threat actor leveraged AI to complete in 72 hours what would normally take weeks, using established cloud attack techniques rather than novel exploits. The attacker obtained an AWS access key via an internet-facing app and used agentic AI workflows to search for secrets, establish persistence, exfiltrate RDS data, and perform impact actions. The report highlights gaps in secrets management, identity governance, deployment workflows and visibility, and provides containment recommendations for defenders.
read more →

AWS Secrets Manager adds Paddle and GitLab support

🔐 AWS Secrets Manager now supports managed external secrets for Paddle API Keys and GitLab Access Tokens. This feature enables automatic rotation of third-party credentials directly from AWS Secrets Manager, using Paddle's native rotation API and GitLab's atomic rotation mechanism. Customers can rotate Paddle API keys with a configurable grace period and rotate GitLab Personal, Group, and Project Access Tokens. These integrations join existing partners and are available in all Regions where managed external secrets is supported.
read more →

Start Post‑Quantum Cryptography with Credentials

🔐 Today’s public-key cryptography faces a future threat from quantum computers that can render intercepted ciphertext and stored credentials decryptable. Agencies like the NSA and standards bodies such as NIST have set Q-day deadlines between 2027 and 2035 to phase in quantum-resistant algorithms, while enterprises face multi-year migrations. A practical approach is credentials-first: inventory secrets, prioritize long-lived, high-impact credentials, adopt hybrid cryptography, and design for crypto-agility to reduce Harvest Now, Decrypt Later risks.
read more →

Agent Toolkit Adds Secret Safety Skill for Agents

🔒 AWS Secrets Manager introduces a secret safety skill in the aws-core plugin for the Agent Toolkit for AWS, enabling AI coding agents to use secrets without exposing values to models or session logs. The skill prevents models from requesting raw secret values and prompts developers to clarify intent while constructing commands that reference secrets. A child process resolves secret references at execution time, keeping plaintext secrets out of agent context and logs. The feature is available across supported agent harnesses and Regions where Secrets Manager is offered.
read more →

Governing the growing ghost workforce risk

🛡️ Enterprises are facing an invisible workforce: non-human identities (bots, service accounts, API keys, tokens, certificates) that now often outnumber humans. These ghost identities authenticate constantly across environments and, when unmanaged, accumulate privileges and risks. The industry has seen incidents where forgotten or third-party machine identities enabled widespread breaches, and a looming 2026 certificate-expiration wave threatens cascading outages. Organisations must prioritise governance—discovering NHIs, assigning ownership, auditing privileges, and addressing imminent certificate expirations—before tool selection.
read more →

AWS launches Workload Credentials Provider for certs

🔒 AWS announced the AWS Workload Credentials Provider, a lightweight client-side tool that automates export and deployment of certificates from AWS Certificate Manager and local caching of secrets from AWS Secrets Manager. It removes the need for custom EventBridge-based automation for certificate renewals, supports Windows and Linux, and works with Apache and NGINX. The provider is open source and compatible with Secrets Manager Agent functionality.
read more →

AgentCore Identity supports customer-managed secrets

🔐 Amazon Bedrock AgentCore Identity now lets customers reference existing AWS Secrets Manager secret ARNs directly in Credential Providers. Previously, secrets were service-managed and created by AgentCore Identity, limiting tagging, CMK encryption, and governance controls. Customers can now create and manage secrets with their own policies and then reference the ARN without changing runtime behavior. This feature is GA in 14 AWS Regions.
read more →

Well‑Architected Software Supply Chain Best Practices

🔒 This AWS Security blog post outlines best practices for defending against software supply chain attacks, motivated by recent npm incidents like Shai‑Hulud and axios. It emphasizes reducing long‑lived credentials by using temporary credentials (AWS CLI login, IAM Identity Center, OIDC) and centralizing secrets with AWS Secrets Manager or Systems Manager Parameter Store. The article advocates layered defenses including MFA, multi‑approver workflows, artifact signing with AWS Signer, central package repositories using CodeArtifact, image scanning with Amazon Inspector, and provenance attestations for npm packages.
read more →

AWS Secrets Manager adds Datadog and Snowflake support

🔐 AWS Secrets Manager now supports managed external secrets for Datadog vended keys and Snowflake Programmatic Access Tokens, enabling automatic rotation of third-party credentials directly within Secrets Manager. The update covers Datadog API keys, Application keys, and admin credential pairs for service accounts. For Snowflake, Secrets Manager can rotate Programmatic Access Tokens using Snowflake's native authentication and offers a configurable grace period to minimize disruption. These additions join existing integrations such as BigID, Confluent Cloud, MongoDB Atlas, and Salesforce and are available in all Regions where managed external secrets is supported.
read more →

Practical Guidance for Securing Google API Keys

🔐 This post explains why API keys are sensitive credentials for accessing Google AI and Cloud services and why careless handling leads to misuse or billing abuse. It outlines simple, actionable steps: create keys in dedicated projects, apply API and application restrictions, and store keys in Secret Manager or equivalent. The article also covers detection and response—how to list keys, monitor usage metrics, delete compromised keys, and rotate keys to reduce risk.
read more →

Mini Shai-Hulud Hits Hundreds of AntV npm Packages

🚨 The Mini Shai-Hulud worm resurfaced in a coordinated supply-chain wave that published 639 malicious versions across 323 npm packages tied to the AntV visualization ecosystem on 19 May, lasting roughly an hour. Analysis by Socket and updates from Microsoft show the payload added preinstall hooks executing an obfuscated Bun bundle to harvest cloud and CI secrets. Many affected packages are high-download dependencies and the compromised maintainer account held rights to over 500 packages. Responders should pin pre-19 May versions, rotate exposed credentials and audit GitHub for forged repository activity.
read more →

Contractor Exposed CISA and GovCloud Credentials Publicly

🔒 A public GitHub repository tied to a suspected CISA contractor exposed plain-text credentials—AWS tokens, GitHub access tokens, Kubernetes files, workflows and internal documents—discovered on May 14 by GitGuardian. The repo, active since November 13, 2025, contained roughly 844 MB of data and was taken offline within a day after disclosure. CISA is investigating and reports no current indication of sensitive compromise. Experts recommend centralized secret management, automated secret scanning, strict vendor controls and MFA to prevent similar exposures.
read more →

Developer Workstations as Local Supply Chain Boundaries

🔐 Recent supply chain campaigns that struck npm, PyPI, and Docker Hub within a 48-hour window illustrate a shift: attackers now target developer environments and CI/CD contexts to harvest API keys, tokens, SSH keys, and cloud credentials. The piece explains how local repositories, .env files, package configs, and AI assistants concentrate sensitive context and delivery authority on individual machines. It urges security teams to treat the developer workstation as a local supply chain boundary and to align endpoint, identity, AppSec, and platform controls to detect, limit, and rapidly rotate exposed secrets.
read more →

Secrets Manager Agent Adds Pre-Fetching and Role Assumption

🔒 The AWS Secrets Manager Agent now supports pre-fetching secrets at startup and assuming an IAM role for retrieval. With pre-fetching you can specify a list of secrets or a tag to retrieve and cache via BatchGetSecretValue, reducing application startup latency and API overhead. The agent can also assume a provided role ARN per pre-fetch or HTTP request to enable cross-account secret retrieval. These capabilities are available in all Regions where Secrets Manager is offered.
read more →

Safer Vibe Coding: Security Tips for Nontechnical Teams

🔒 AI-assisted "vibe" coding makes building apps fast but frequently yields insecure or nonfunctional code that can expose sensitive data. Non-technical creators should treat AI output as a draft: verify and test code, protect secrets by using environment variables, prefer reputable libraries, and enforce secure defaults. Regular backups, sandbox testing, dependency updates, and secret scanning help reduce exposure.
read more →

AWS KMS Adds Last-Usage Visibility for Keys Across Regions

🔒 AWS Key Management Service (KMS) now surfaces the timestamp, operation type, and AWS CloudTrail event ID for the last cryptographic operation performed with each KMS key, viewable in the console or via API. This eliminates manual log queries and helps administrators and compliance teams quickly identify unused keys, verify active usage, and trace key activity. A new condition key, kms:TrailingDaysWithoutKeyUsage, enables policy-based protection against accidental deletion of recently used keys, and the capability is available in all AWS Regions including GovCloud and China.
read more →

AWS Secrets Manager Adds MongoDB and Confluent Support

🔐 AWS Secrets Manager now supports managed external secrets for MongoDB Atlas and Confluent Cloud, enabling centralized secret storage and automatic rotation without building custom Lambda rotation functions. The MongoDB integration handles database user credentials (SCRAM) and service account OAuth client ID/secret; Confluent automates API key rotation for service accounts with cluster-scoped and cloud resource management keys. Automatic rotation is enabled by default to remove hardcoded credentials and reduce operational overhead.
read more →

AWS Glue Adds OAuth 2.0 Support for Snowflake Connectivity

🔒 AWS Glue now supports OAuth 2.0 for native Snowflake connectivity, allowing customers to read from and write to Snowflake without sharing persistent user credentials. This token-based authorization uses temporary access tokens to eliminate credential management, enabling granular permissions and improved auditability. The built-in AWS Glue Snowflake connector with OAuth is available in all AWS commercial regions, simplifying secure data integration.
read more →

Webinar: Eliminating Orphaned Non-Human Identities at Scale

🔐 This live webinar explains why unmanaged non-human identities—service accounts, API tokens, AI agent connections, and OAuth grants—are now a primary vector for cloud breaches. You will learn a repeatable discovery process to surface every automated credential, a framework to right-size permissions, and how to implement an automated lifecycle policy so dead credentials are revoked. Attendees receive an Identity Cleanup Checklist to apply immediately.
read more →

Improved Developer Security for Non-Human Identities and Tokens

🔐 Cloudflare announces updates to secure non-human identities—agents, scripts, and third-party tools—by enhancing credential detection, OAuth visibility, and resource-scoped RBAC. New scannable token formats (with identifiable prefixes and checksums) and integration with GitHub Secret Scanning enable rapid verification and automated revocation of leaked tokens. Cloudflare One DLP extends prevention across network, email, SaaS, and AI traffic. The Dashboard now surfaces connected OAuth apps and permissions to simplify review and revocation.
read more →